I came across a piece of malspam that caught my eye. I did not try to run this, since it was not responding in Any.Run and, based on the results from URLHaus, the site had been taken offline. Looking at VT and some other sites, I was not able to find any more information about this maldoc. The fun part with this one was trying to figure out what the macro was doing without having to execute it. Based on what I saw in the PoSH script, I am thinking that this may be Predator the Thief, since I have seen it use ‘certutil’ numerous times (never with the argument option, though). The maldoc can be found over here.

Using my go-to ‘oledump’ from Didier Stevens, I was able to locate the stream that had the goodness (or badness, depending on perspective) in it.

As seen above, the stream that we need to focus on is stream 8 (denoted by the capital ‘M’, which marks a stream containing macro code). Using the following command, I was able to see the base64-encoded statement that most likely had the malicious call in it (it is at the bottom of the output).

As you can see here, there is some reversed-string action going on which breaks up the base64 statement. The first part is pretty easy to make out – “winmgmts:root\cimv2:Win32_Process”. It is the rest of the string that we need to figure out. Using CyberChef, I was able to put together a recipe that would take care of that (see the link below in the reference section). What is left is the following PowerShell script.
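The CyberChef recipe does this by hand for one sample; the same static de-obfuscation can be scripted so the macro never has to run. The following is an added example, not code from the post or from oledump: it statically evaluates a VBA string expression built from plain `"..."` literals and `StrReverse("...")` pieces joined with `&`, then locates any base64-looking run in the result and decodes it (trying UTF-16LE first, since that is what PowerShell `-EncodedCommand` expects, and falling back to UTF-8). The `SAMPLE_VBA` expression and its decoded content are constructed for this example; the only value taken from the post is the `winmgmts:root\cimv2:Win32_Process` moniker, and the decoded command is a harmless placeholder, not the maldoc's script.

```python
import base64
import re

# Constructed sample (not from the maldoc): a VBA string expression of the
# shape described in the post, where a base64 blob is split into plain
# literals and StrReverse() pieces so a naive grep/decode on the raw stream
# text fails. The decoded content is a harmless placeholder.
SAMPLE_VBA = (
    'cmd = "winmgmts:root\\cimv2:Win32_Process" & " " & "V3JpdGUt" '
    '& StrReverse("0V3T") & StrReverse("0VHc") & "ICdv" & StrReverse("=cya")'
)

# One VBA string term: either StrReverse("...") or a bare "..." literal.
# Assumption: literals contain no doubled-quote ("") escapes.
TERM_RE = re.compile(r'StrReverse\("([^"]*)"\)|"([^"]*)"')
# A base64 alphabet run long enough to be a payload rather than a word.
B64_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')


def evaluate_vba_string(expr: str) -> str:
    """Statically evaluate a VBA expression made of "literal" and
    StrReverse("literal") terms joined by &, without running any VBA."""
    out = []
    for m in TERM_RE.finditer(expr):
        reversed_lit, plain_lit = m.group(1), m.group(2)
        # Alternative 1 matched StrReverse(...): undo the reversal.
        out.append(reversed_lit[::-1] if reversed_lit is not None else plain_lit)
    return "".join(out)


def decode_blobs(text: str) -> list:
    """Find base64-looking runs in the evaluated string and decode them.
    PowerShell -EncodedCommand payloads are UTF-16LE (every odd byte is
    0x00 for ASCII text); plain base64 in macros is usually ASCII/UTF-8."""
    results = []
    for blob in B64_RE.findall(text):
        try:
            raw = base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if len(raw) % 2 == 0 and raw[1::2] == b"\x00" * (len(raw) // 2):
            results.append(raw.decode("utf-16-le"))
        else:
            results.append(raw.decode("utf-8", errors="replace"))
    return results


def analyse(expr: str) -> dict:
    """Evaluate the obfuscated expression, then decode whatever it hides."""
    evaluated = evaluate_vba_string(expr)
    return {"evaluated": evaluated, "decoded": decode_blobs(evaluated)}


if __name__ == "__main__":
    report = analyse(SAMPLE_VBA)
    print("evaluated :", report["evaluated"])
    for command in report["decoded"]:
        print("decoded   :", command)
```

Feed it the line oledump printed for stream 8 (or the whole stream dumped with `-v`) instead of `SAMPLE_VBA`; if the macro uses other string tricks (`Chr()`, `Replace()`, `Mid()`), add a matching alternative to `TERM_RE` rather than executing the document to find out.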